The custom format provider allows you to pick specific attributes from the package.json. Things like name, version or author can be picked nicely and will be drawn accordingly.

The markdown- and json- functions have been extended to support the custom formats.

Hi,

Nice to meet you.

I'm in the process of license validation and your tool was the closest to what I was looking for. It only missed a depth option management.

Here it is. I leveraged the depth option of read-installed package. It is not perfect because sometimes a npm install may installed dependencies of your direct dependencies at level 0. Anyway, it still allows filtering of node_modules.

I also documented the start option. Which I would I love to name path.

This could be used for potential license leaks. If you want to know if you have unknown or guessed licenses, you could simply add the '--onlyunknown' tag to only show those packages.

It looks like a lot of UNKNOWNs have a MIT license in the readme.

At https://github.com/davglass/license-checker/blob/d7dc3c199636e986b3ba293a67a30bbdfc7bf2b7/lib/index.js#L116-L117 there's a license(json.readme) check.

json.readme seems to come from var read = require('read-installed'); which doesn't seem to be maintained/updated anymore (https://github.com/npm/read-package-tree is the new one).

I think there's a bug which results in ERROR: No README data found! for the readme.

Hello everyone and a special hello to @davglass!

Thanks for this amazing package - it helps me not implement a lot of things i'd otherwise have to implement! 👍

Until now, restricting the generated output to specific packages (and versions) is not possible. In an environment where a legal department has to check every open source license that is part of a delivered product, the only way to handle this with the current version of license-checker is to scan all dependencies (including devDependencies).

Using the --production switch is not feasible in this scenario, because especially in frontend applications that are built using tooling such as webpack, parcel, rollup, browserify or others, the tools unfortunately don't care if a dependency that is included in a build artifact was listed as a or derived from a devDependency or a dependency.

Because the bulk of our builds is done with webpack, i'm implementing a webpack plugin that generates a list of packages and versions that are actually part of a build output and would love to use depend on license-checker to do the heavy-lifting in regards to checking licenses. To do so, i need a way to restrict the license-checker output to specific packages and versions while ignoring the rest.

Another way to deal with this would be to expose a method that can check the license of a single package, but that would involve a lot of refactoring, dealing with read-installed and more. I've tried it and it did not look & feel well.

Therefore, i've implemented an additional CLI switch called --packages that accepts a semicolon-separated list of package@version identifiers and restricts the output of license-checker to these packages. The code changes are minimal because all packages read by read-installed are checked and the filtered return value is then restricted to the given packages.

I'm aware that this is not the most performant solution, but i'm perfectly fine with that because i did not have to introduce a lot of changes and license-checker is pretty fast regardless.

Currently you can only blacklist licenses via -failOn

However, if you want to be more strict you probably want to explicitly whitelist the licenses which are ok for you.

Ideas:

• introduce a negation operator, e.g.: -failOn="!(MIT,Apache)"
• introduce another flag, e.g.: -notFailOn="MIT,Apache"

For some reason license-checked can't figure out the license for uid-number (package.json v0.0.6) and pouchdb-collections (package.json v1.0.1). Even though in both cases they do have a seemingly valid license field in their package.json.

I've checked with DEBUG=license-checker* and I don't see an error. I'm using license-checker 13.0.2, I've checked the package.json's of the versions I'm using (checking package-lock.json)

Could a little bit of documentation be added on how license-checker determines the license?

Hello,

It looks like when running license-checker with the --json flag, the JSON that's generated uses single quotes instead of double quotes, which means that parsing it with JSON.parse() fails.

I wonder how this could be combined with webpack (as a preloader?) to only really gather information about packages that are imported or required by the app.

I would like to suggest a new option to list licenses for dependencies, only. In other words, the license for the module defined by package.json itself shall be excluded. Assuming this can be controlled by a command line option "--dependencies" this can be achieved easily by the following patch.

https://github.com/mwittig/license-checker/commit/01cde66943beb1c403c880fe8e001f90ca75526f

Of course, some additional code will be required to set the command line option. I am happy to do that if the feature request finds your acceptance. Please also advise further about test requirements in case.

I would like an option to list licenses for "first" dependencies in the dependency tree. So in other words list dependencies only for the modules which are listed in package.json file's "dependencies".

We have a monorepo and publish private packages from it to NPM to be consumed by our applications.

The config for a package includes:

"name": "@example/packageName",
"license": "UNLICENSED",
"publishConfig": {
    "access": "restricted"
},

Packages marked as private: true are not published to the registry, so packages publishing private packages to NPM cannot use this.

From the NPM docs.

private

If you set "private": true in your package.json, then npm will refuse to publish it.

This is a way to prevent accidental publication of private repositories. If you would like to ensure that a given package is only ever published to a specific registry (for example, an internal registry), then use the publishConfig dictionary described below to override the registry config param at publish-time.

Inside apps that consume our packages we are running license-checker. Instead of reporting our packages as UNLICENSED, it reports them as UNKNOWN. This is because if the value of package's license field is UNKNOWN a value of null is returned from license. There is a subsequent check for UNLICENCED, but it only happens for packages that have private: true.

It is perfectly valid to have a license of UNLICENSED for a non-private package when published and consumed in this way so this feels like a bug.

Hi , Mkdrip (v0.5.x) needs "minimist" which is a High Security Issue in Whitesource . Mkdirp is now already getting 1.0.4 which totally exclude the "Minimist" Module. Could you guys please update to this newer Major Version of mkdirp ?

Thanks in advance

The package cluster-key-slot1.1.0 specifies the non-standard license name APACHE-2.0, see https://github.com/invertase/cluster-key-slot/blob/v1.1.0/package.json. This gets recognizes as Apache*. To reproduce: npx license-checker --packages '[email protected]' It could be recognized as Apache-2.0 if only the casing differs.

package.json file:

{
  "dependencies": {
    "react-highcharts": "^16.1.0"
  }
}

Run

npm i
license-checker --packages "[email protected]"

Output:

└─ [email protected]
   ├─ licenses: Custom: https://www.npmjs.com/package/highcharts-server
...

However, node_modules/highcharts/package.json has this:

"license": "https://www.highcharts.com/license"

The difference is significant, because highcharts-server is MIT-licensed, while highcharts has a commercial license.